Preventing non-cached writes to normal files

zziss · May 15, 2025, 3:07pm

Hi all, this topic was probably discussed before, but unfortunately I couldn't find an explanation for the behavior I am experiencing.

I am developing a minifilter driver which goal is to prevent certain contents from being written to a (normal) file (could be any file).
My idea was to set a PreWrite callback which will check for this data and block accordingly. I only want to audit the IRPs that actually write data to disk, so I first check if IRP_NOCACHE is set, and if so - only then check the data.
Attaching a POC:

FLT_PREOP_CALLBACK_STATUS
MyPreWrite(
Inout PFLT_CALLBACK_DATA Data,
In PCFLT_RELATED_OBJECTS FltObjects,
Flt_CompletionContext_Outptr PVOID* CompletionContext
)
{

if (!FlagOn(Data->Iopb->IrpFlags, IRP_NOCACHE)) {
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

if (!is_interesting_file(Data->Iopb->TargetFileObject)) {
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

if (!is_interesting_data(Data->Iopb.Parameters.Wite)) {
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

Data->IoStatus.Status = STATUS_ACCESS_DENIED;
Data->IoStatus.Information = 0;
return FLT_PREOP_COMPLETE;

}

The issue is that it seems that in this case the lazy writer will keep on trying to flush the data forever.
I also tried to set the Status to STATUS_SUCCESS. In this scenario the lazy writer does stop, but the data is being written to the disk.

Is this the expected behavior? And if so, how do I prevent the contents from being written? I don't want to audit every cached write as these are probably way more frequent.

Appreciate your help.

Mark_Roddy · May 15, 2025, 4:16pm

If you are returning STATUS_SUCCESS and completing the request in the pre-write routine, then I don't think the data is actually written to disk. It will however be in the cache, which would make it appear to be 'on disk'.

zziss · May 19, 2025, 4:25pm

@Mark_Roddy thank you, you were right - returning STATUS_SUCCESS works as expected.
The issue in my case was that I tested with small files on NTFS formatted disk. for small files, blocking the IRP that targeted the specific file wasn't enough because the data is also written directly to the $MFT file.
For big files - everything worked as expected.

Slava_Imameev · May 19, 2025, 9:37pm

IRP_NOCACHE is an advise for a file system driver, in the absence of IRP_PAGING_IO this flag can be ignored by a file system driver. The only flags that don't allow a file system driver to use the cache is IRP_PAGING_IO and IRP_SYNCHRONOUS_PAGING_IO. But even IRP_PAGING_IO doesn't guarantee that data goes to a disk. This flag says - do not use file system cache, but other ways to cache data or delay IO can be used, like intermediate buffering, even with buffers allocated in paged pool as it is allowed to take page faults for pages in a paged pool, i.e. backed by a swap file, when processing IRP_PAGING_IO for a regular file.